Trends in ransomware

Ransomware is a very powerful weapon, causing a disproportionately high amount of disruption relative to the financial gain it brings the attacker. 2017 was the year of ransomware. So was 2018. In 2019, things became much worse. In 2020 we are again reaching all-time highs, both in the prevalence of ransomware and in the business disruption it causes. In this article, we look at how ransomware has evolved over the years and consider the current trends.

Article by Mikko Peltonen

Let’s go back a couple of years. Ransomware has been around for quite a long time. Already in 2013-2014 there were ransomware strains such as CryptoLocker and CryptoDefense. The first real game changer in this business, though, was the simple invention of wormable ransomware such as WannaCry. This combined the ransomware payload (the code that encrypts the files and demands a ransom in exchange for the key) with a worm that spreads it inside the target organisation.

This was an easy and logical step in the evolution: simply combining two existing malware types into one powerful weapon.

Criminal gangs target the individual person, for example a specific employee who has been hand-picked to be the victim of a highly specialised attack.


Data stealing ransomware

In 2020, the ransomware business has evolved further, and the criminal gangs have come up with new business models. The rise of a new type of attack that first encrypts, then steals your data has been anticipated in the industry for years, and in 2020 it has unfortunately materialised.

Even if you were well enough prepared to recover from an attack using backups, you would still need to pay the criminals “hush money” to prevent them from spreading the data, or face the equally bleak prospect of hefty GDPR fines that could cost more than the ransom demand. On top of this, there is the bad publicity for your organisation. Talk about being between a rock and a hard place.

There have been real-life cases of stolen data being leaked by ransomware gangs, for example the Maze and Ryuk ransomware organisations. The Maze network’s modus operandi is to publish some elementary proof in the form of data that they could only possess by having breached the company network. This can be names or contact details, which are then published on their web page. This also applies public pressure to the affected organisation, forcing it to come out publicly and admit that it has been breached.

Targeted ransomware

Another trend, alongside data-stealing ransomware, is the rise of far more targeted ransomware attacks. Instead of a generic attack that works against many organisations (but requires only a low level of sophistication), the new method is to tailor the attack to the targeted company and then exploit its specific weaknesses.

This approach is called Human-Operated Ransomware, and it combines the raw processing power of computers with the human brain: knowledge of the target, instincts and problem-solving ability.

The rise of human-operated ransomware is bad news in many ways.

  1. Tools: Highly sophisticated criminal tools that are only available to well-equipped criminal gangs, such as 'zero day' vulnerabilities, may be used in the attacks. Compared with run-of-the-mill ransomware, which preys on those who are not patching adequately or protecting themselves with up-to-date malware protection, the rate of success for a skilled human attacker with precision tools to penetrate the chosen organisation is very high.
  2. Skills: Cybercrime gangs have decades of experience in data breaches. They know what to look for and where, how to fly under the radar, and how to maintain a foothold in the environment for extended periods of time.
  3. Time horizon: These gangs are well funded and are not in it for quick cash. They can take all the time they need (weeks, months or years) to gather as much data as they believe it will take to hit the jackpot.

Criminal strategy

It is obvious that the gangs have changed their strategy for monetising ransomware. Previously, attackers sent a large number of spam emails to many addresses with a generic attack payload.

Today, the recipient is hand-picked and carefully targeted, receiving a highly specialised and well-crafted attack that specifically exploits their weaknesses. This requires greater sophistication, but it also unlocks the possibility of tailoring the ransom demand to maximise earning potential and increase the likelihood of payment.

Using an automotive analogy, this is a strategy change from making all-purpose cars that work well enough for most everyday use to building a Formula 1 car that has been optimised for just one narrow set of circumstances, fine-tuned to be really, really good at what it has been designed to do. Or consider the move from a mass-produced fast fashion item that anyone can wear but that gets the best out of nobody, to a haute couture piece tailored specifically for the individual client.

In summary, there are two new features in how ransomware gangs are operating, both obviously aimed at maximising their profits:

  • an added earning logic: on top of the lucrative basic concept of demanding a ransom to decrypt the files, they now also steal the data, making it possible to exploit the targeted company twice in a single attack.
  • a changed strategy, from mass spreading to targeted attacks and human-operated ransomware, making attacks harder to fend off and allowing the ransom demand to be adjusted to the pain threshold of the target organisation, to maximise earning potential.

This means that if you are the unlucky chosen target of one of these attacks, the chances are very high that the adversary will eventually succeed.

Is there any good news in this?

Yes, there is. Most of these threats can still be defeated with elementary means. Basic hygiene measures, such as keeping internet-facing assets rigorously patched, applying the principle of least privilege everywhere, and deploying a properly configured host firewall to all eligible workstations, go a long way.